1.0.1

+ Prototype Pollution fix
+ dependencies are up to date

Author: strikeentco

.travis.yml

@@ -1,7 +1,7 @@
 language: node_js
 node_js:
-  - "8"
-  - "6"
+  - "12"
+  - "10"
 before_script:
   - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
   - chmod +x ./cc-test-reporter

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018 Alexey Bystrov
+Copyright (c) 2018-present Alexey Bystrov
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,8 +1,8 @@
 set [![License](https://img.shields.io/npm/l/@strikeentco/set.svg)](https://github.com/strikeentco/set/blob/master/LICENSE)  [![npm](https://img.shields.io/npm/v/@strikeentco/set.svg)](https://www.npmjs.com/package/@strikeentco/set)
 ==========
-[![Build Status](https://travis-ci.org/strikeentco/set.svg)](https://travis-ci.org/strikeentco/set)  [![node](https://img.shields.io/node/v/@strikeentco/set.svg)](https://www.npmjs.com/package/@strikeentco/set) [![Test Coverage](https://api.codeclimate.com/v1/badges/450e530044d31f690dc5/test_coverage)](https://codeclimate.com/github/strikeentco/set/test_coverage) [![bitHound Score](https://www.bithound.io/github/strikeentco/set/badges/score.svg)](https://www.bithound.io/github/strikeentco/set)
+[![Build Status](https://travis-ci.org/strikeentco/set.svg)](https://travis-ci.org/strikeentco/set)  [![node](https://img.shields.io/node/v/@strikeentco/set.svg)](https://www.npmjs.com/package/@strikeentco/set) [![Test Coverage](https://api.codeclimate.com/v1/badges/450e530044d31f690dc5/test_coverage)](https://codeclimate.com/github/strikeentco/set/test_coverage)
 
-One of the smallest (*24 sloc*) and most effective implementations of setting a nested value on an object.
+One of the smallest (*31 sloc*) and most effective implementations of setting a nested value on an object.
 
 # Usage
 
@@ -41,4 +41,4 @@ set({ a: { b: 'c' } }, 'a:b', 'd', ':');
 ## License
 
 The MIT License (MIT)<br/>
-Copyright (c) 2018 Alexey Bystrov
+Copyright (c) 2018-present Alexey Bystrov

main.js

@@ -1,22 +1,39 @@
 'use strict';
 
-const isObject = val => typeof val === 'object' || typeof val === 'function';
+/* eslint-disable no-continue */
+
+const isObject = (val) => typeof val === 'object' || typeof val === 'function';
+const isProto = (val, obj) => val === '__proto__' || (val === 'constructor' && typeof obj.constructor === 'function');
 const set = (obj, parts, length, val) => {
   let tmp = obj;
   let i = 0;
   for (; i < length - 1; i++) {
     const part = parts[i];
+    if (isProto(part, tmp)) {
+      continue;
+    }
     tmp = !isObject(tmp[part]) ? tmp[part] = {} : tmp[part];
   }
   tmp[parts[i]] = val;
   return obj;
 };
 
+/**
+* Sets nested values on an object using a dot path or custom separator
+* @param {Object} obj
+* @param {String|Array} path
+* @param {Any} val
+* @param {String} [sep = '.']
+* @returns {Object}
+*/
 module.exports = (obj, path, val, sep = '.') => {
   if (!isObject(obj) || !path || !path.length) {
     return obj;
   }
   const parts = Array.isArray(path) ? path : String(path).split(sep);
+  if (isProto(parts[0], obj)) {
+    return obj;
+  }
   const { length } = parts;
   if (length === 1) {
     obj[parts[0]] = val;